New Bagle variants on the prowl

By Bill Brenner, Senior News Writer
21 Jun 2006 | SearchSecurity.com

Security Wire Daily News

The prolific Bagle worm is rising once again this week, arriving in email inboxes as an encrypted .zip attachment. According to several antivirus firms, the new versions spread using randomly chosen names programmed into their code.

Finnish security firm F-Secure Corp. announced the latest variants in its blog Tuesday, saying, "One Bagle per day -- it isn't a diet, it's a way of life." The company said it usually receives new Bagle variants once or twice a week, but that in the past week it has received a new variant each day.

Russian antivirus firm Kaspersky Lab rated one of the latest variants, Bagle-FY, as a moderate risk and said it has been spreading rapidly in the past 24 hours or so. "Kaspersky Lab is receiving increasing numbers of reports … from users around the world," the firm said on its Web site.

UK-based Sophos said one variant, Bagle-KL, spreads as an encrypted .zip email attachment that even carries a password. The randomly generated numerical password is communicated to the recipient by embedding an image into the email, the firm said. It also spreads using a subject line randomly chosen from 118 different names programmed into its code. The list of names includes Ann, Anthonie, Constance, Emanual, Frances, Geoffraie, Harrye, Humphrie, Judith, Margerie, Michael, Nicholas, Robert, Winifred, Johen, and Thomas.

The .zip file titles include Edmund.zip, Nicholaus.zip, Dorithie.zip, Henry.zip, Daniel.zip, Nycholas.zip, Judeth.zip, Sybyll.zip, Winifred.zip, Bennett.zip, and John.zip. Encrypted inside the attached .zip file is a copy of the worm.

Sophos said the body of the email can contain phrases such as "I love you" or "To the beloved," with advice on the five-digit password that should be used to open the .zip file.
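For mail administrators, the delivery pattern Sophos describes (a password-protected .zip attachment with the password shown in an image) can be flagged at the gateway without knowing the password, because the ZIP encryption flag is stored unencrypted. The following is an added example, not code from the article or from any vendor it quotes. The function names, the quarantine rule and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flag: entry is encrypted


def inspect_message(raw: bytes) -> dict:
    """Report password-protected .zip attachments and image parts in one email."""
    msg = message_from_bytes(raw, policy=policy.default)
    encrypted_zips, has_image = [], False
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            has_image = True
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # The flag sits in the central directory, so no password is needed.
                if any(i.flag_bits & ENCRYPTED for i in zf.infolist()):
                    encrypted_zips.append(name)
        except zipfile.BadZipFile:
            continue  # not a parseable archive; leave it to other controls
    # Assumed rule: encrypted archive plus an image part is worth holding.
    return {"encrypted_zips": encrypted_zips, "has_image": has_image,
            "quarantine": bool(encrypted_zips) and has_image}


def build_sample(encrypted: bool) -> bytes:
    """Constructed test message: harmless text file in a .zip plus a stub image part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", "constructed sample, not malware")
    blob = bytearray(buf.getvalue())
    if encrypted:
        # Set the encryption flag in the central directory header (offset 8)
        blob[blob.index(b"PK\x01\x02") + 8] |= ENCRYPTED
        blob[6] |= ENCRYPTED  # and in the local file header (offset 6)
    msg = EmailMessage()
    msg["Subject"] = "Constructed"
    msg.set_content("Constructed body: the password is shown in the picture.")
    msg.add_attachment(bytes(blob), maintype="application", subtype="zip",
                       filename="Constructed.zip")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png",
                       filename="password.png")
    return msg.as_bytes()
```

Legitimate senders also mail encrypted archives, so a hit from this check is a reason to hold the message for review rather than proof of infection.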

When run, Sophos said, Bagle-KL attempts to disable various security applications and download malware from one of 99 different Web sites. Many of those Web sites are based in Poland, Russia and the Czech Republic.

"Users would be wise to resist the temptation of opening unsolicited attachments, and ensure their antivirus protection is kept up to date," Sophos Senior Technology Consultant Graham Cluley said in a statement.

Tags: Viruses, Worms and Other Malware